[Zope] Re: CookieCrumbler problem

Gordon Lai lai at library.ucsf.edu
Thu Oct 14 18:47:17 EDT 2004 

Hi Tres,

Thanks for your reply, but login.html isn't protected. I do get a Not 
Authorized page when I cancel the basic auth dialog popup, though, but I 
assume that shows up because I didn't login to the protected folder. Any 
other suggestions? Thanks for suggesting VerboseSecurity.

Gordon

Tres Seaver wrote:

> Gordon Lai wrote:
>
>> Hi,
>>
>> I'm having a problem with CookieCrumbler 1.24. I'm trying to use it 
>> with Zope 2.7.2, Python 2.3.4, and LDAPUserFolder 2.4beta3. I want CC 
>> to show my login.html when a user accesses a protected folder, but 
>> this doesn't happen; the basic auth dialog still pops up. I enter a 
>> username and password that authenticates correctly with my LDAP 
>> server and then my login.html shows up. On this page I have to enter 
>> a correct username, but then any gibberish in the password field will 
>> allow me to login; this basically means that the dialog box was doing 
>> the real login and this login.html wasn't doing much. I can then 
>> logout by clicking a link that calls a Python Script that calls 
>> logout() in CC (is this the correct way to logout? CC doesn't have 
>> any docs, so I perused its code and found logout()). But now when I 
>> try to access the folder again I get instantly logged out because I 
>> have code at the top of my index.html ZPT that detects if a session 
>> object exists, and if it doesn't it will logout the user. Since I've 
>> logged out, a session object does not exist. Basically, the login 
>> process is being completely bypassed and I'm hitting index.html 
>> directly.
>>
>> The correct login process that I have set up is as follows:
>>
>> 1) CC shows my login.html.
>> 2) The user logs in, which calls index.py.
>> 3) index.py creates a new session and then calls index.html
>>
>> This was working for some time before "something happened" and I am 
>> now seeing the above wrong behavior. What am I doing wrong?
>
>
> It sounds as though 'login.html' is protected;  what happens if you 
> cancel out when the basic auth dialog pops up?  What happens there is 
> that you get a 401 (because the login form is protected), and the 
> cookie crumbler doesn't intercept it (because it knows it is trying to 
> challenge already).  Then, when you supply basic auth credentials, 
> Zope renders the form, but at this point the browser is already 
> including the 'Authenticate:' header, which makes the login POST 
> handler irrelevant.
>
> BTW, I would recommend installing VerboseSecurity, if the traceback 
> doesn't give you enough information:
>
>   http://hathawaymix.org/Software/VerboseSecurity
>
> Tres.

More information about the Zope mailing list